On Thu, February 9, 2006 08:07, ludi wrote: > #!/bin/sh > HOME_ADDR= > > iptables -F OUTPUT > iptables -F INPUT > iptables -F FORWARD > > > #INPUT CHAIN :ACCESS SSH ,DROP ALL > iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --dport 53 -j ACCEPT > iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 22 -j ACCEPT > iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --sport 53 -j ACCEPT > iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 80 -j ACCEPT > iptables -A INPUT -p icmp -i eth0 -s 0/0 -d $HOME_ADDR -m limit > --limit 6/m --limit-burst 6 -j ACCEPT > iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > iptables -P INPUT DROP I would move these last 3 lines to the top of the script : iptables -P INPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT You want to DROP everything before your rules have been setup. Also, most packets are likely to the "ESTABLISHED,RELATED" rule so you want that to be one of the first rules to match to speed things up. Interface lo also receives a lot of traffic (well, here is does) and that's why I'd move that one too. You may want to add "-m state --state NEW" to the other rules. > iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT > iptables -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT > iptables -P OUTPUT DROP Same here : move the policy rule to the top and add : iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT Gr, Rob
